cassandra-commits mailing list archives

From "Aleksey Yeschenko (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-5651) Custom authentication plugin should not need to prepopulate users in system_auth.users column family
Date Tue, 18 Jun 2013 08:07:22 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-5651?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13686487#comment-13686487 ]

Aleksey Yeschenko commented on CASSANDRA-5651:
----------------------------------------------

This is done how it's done for two reasons:

1. User existence validation. We don't want someone to accidentally grant/revoke/make superuser
a non-existent user, silently, then have that user created later and have these accidental
permissions. We chose to keep the registry in Cassandra itself because there are cases where
an authenticator itself cannot answer the question (Auth.isExistingUser()) easily (with Kerberos,
for example).

2. Superuser status management. For every implementation to not reinvent the wheel, Cassandra
manages it itself.

So it's not there just for authentication purposes, it bridges different authenticator/authorizer
implementations, too. So it's not as simple as "another boolean method similar to IAuthenticator.requireAuthentication()
so that custom authentication plugin can skip this isExistingUser check if needed".
                
> Custom authentication plugin should not need to prepopulate users in system_auth.users column family
> ----------------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-5651
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-5651
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 1.2.5
>         Environment: RHEL 6.3, jdk 1.7
>            Reporter: Bao Le
>
> Current implementation in ClientState.login makes a call to Auth.isExistingUser(user.getName())
> if the AuthenticatedUser is not Anonymous. This involves querying system_auth.users column
> family.
> Our custom authentication plugin does not need to pre-create and store users, and it
> worked fine under 1.1.5. On 1.2.5, however, we run into an authentication problem because of
> this.
> I feel we should either do this isExistingUser check inside IAuthenticator.authenticate,
> or expose another boolean method similar to IAuthenticator.requireAuthentication() so that
> custom authentication plugin can skip this isExistingUser check if needed.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
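
The first reason given in the comment above (grants made to a non-existent user being picked up by an account created later) can be seen in a small model. This is an added example, not Cassandra code and not part of the original message; the class, the in-memory maps, and every method other than the `isExistingUser` name are hypothetical stand-ins.

```java
import java.util.*;

// Toy model (assumption, not Cassandra code): a user registry plus a permission store keyed by name.
public class GrantRegistryDemo {
    static final Set<String> users = new HashSet<>();               // stands in for system_auth.users
    static final Map<String, Set<String>> grants = new HashMap<>(); // grantee name -> permissions

    // Hypothetical stand-in for the existence check named in the comment.
    static boolean isExistingUser(String name) { return users.contains(name); }

    // Unchecked variant: records the grant whether or not the grantee exists.
    static void grantUnchecked(String name, String permission) {
        grants.computeIfAbsent(name, k -> new HashSet<>()).add(permission);
    }

    // Checked variant: refuses a grant for a name the registry does not know.
    static void grantChecked(String name, String permission) {
        if (!isExistingUser(name))
            throw new IllegalArgumentException("User " + name + " doesn't exist");
        grantUnchecked(name, permission);
    }

    // Audit helper: grantees that have permissions recorded but no registry entry.
    static Set<String> orphanedGrantees() {
        Set<String> orphans = new TreeSet<>(grants.keySet());
        orphans.removeAll(users);
        return orphans;
    }

    public static void main(String[] args) {
        users.add("alice");
        // Operator mistypes the grantee; the unchecked store accepts it silently.
        grantUnchecked("alcie", "MODIFY ON KEYSPACE billing");
        System.out.println("orphaned grantees: " + orphanedGrantees());
        // Later an account with that exact name is created for someone else.
        users.add("alcie");
        System.out.println("unchecked: alcie now holds " + grants.get("alcie"));

        // With the registry check, the same typo fails at grant time instead.
        grants.clear(); users.remove("alcie");
        try {
            grantChecked("alcie", "MODIFY ON KEYSPACE billing");
        } catch (IllegalArgumentException e) {
            System.out.println("checked: rejected (" + e.getMessage() + ")");
        }
        System.out.println("grants after checked attempt: " + grants);
    }
}
```

An authenticator that keeps its users outside the cluster still needs some equivalent of the registry lookup, or an audit like `orphanedGrantees()`, to keep grants from attaching to names that do not exist yet.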
